Beispiel #1
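    def _set_password_config(self):
        """Apply the password-aging policy to login.defs and to existing accounts.

        Backs up /etc/shadow and /etc/login.defs, writes the PASS_* aging
        values, sets the default inactivity lock for new accounts, and then
        applies the same aging values to every account except the operator's,
        forcing those accounts to change their password at next login.
        """
        # Local import so the block does not depend on the file's import list.
        import shlex

        common.backup("/etc/shadow")
        path = "/etc/login.defs"
        common.backup(path)

        params = {
            "PASS_MAX_DAYS": "365",
            "PASS_MIN_DAYS": "7",
            "PASS_WARN_AGE": "7"
        }

        common.change_parameters(path, params)

        # inactive password lock (default for accounts created from now on)
        common.run("useradd -D -f 30")

        current_user = common.input_text("What is the current username")
        users = list(common.get_current_users())

        # The operator's own account is the only one spared below. A mistyped
        # name would expire every account, including the operator's, so stop
        # before touching any account instead of risking a lock-out.
        if current_user not in users:
            common.warn(
                "'{}' is not a known user; skipping per-account password expiry".format(current_user))
            return

        for user in users:
            if user == current_user:
                continue
            # Account names end up inside command strings; quoting leaves
            # ordinary names unchanged and neutralises shell metacharacters.
            # NOTE(review): assumes common.run/common.run_full parse the
            # string with shell quoting rules — confirm in common.
            quoted = shlex.quote(str(user))
            common.run_full("chage --lastday $(date +%Y/%m/%d) {}".format(quoted))
            common.run("chage --maxdays 365 {}".format(quoted))
            common.run("chage --mindays 7 {}".format(quoted))
            common.run("chage --warndays 7 {}".format(quoted))
            common.run("chage --inactive 30 {}".format(quoted))
            # Expire the password so it must be changed at the next login.
            common.run("passwd --expire {}".format(quoted))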
Beispiel #2
    def _set_shadow(self):
        """Restrict system accounts: no login shell, locked password, root in GID 0.

        Both pipelines select accounts from /etc/passwd whose UID is below the
        UID_MIN value read from /etc/login.defs. They rely on `which nologin`
        resolving to a path on the host.
        """
        # Every system account except root/sync/shutdown/halt and NIS "+"
        # entries that does not already use nologin or /bin/false gets the
        # nologin shell.
        nologin_shell_cmd = "awk -F: '($1!=\"root\" && $1!=\"sync\" && $1!=\"shutdown\" && $1!=\"halt\" && $1!~/^\\+/ && $3<'\"$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"' && $7!=\"'\"$(which nologin)\"'\" && $7!=\"/bin/false\") {print $1}' /etc/passwd | while read user; do usermod -s $(which nologin) $user; done"

        # Every non-root system account whose `passwd -S` status is not
        # already L/LK gets its password locked.
        lock_accounts_cmd = "awk -F: '($1!=\"root\" && $1!~/^\\+/ && $3<'\"$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!=\"L\" && $2!=\"LK\") {print $1}' | while read user; do usermod -L $user; done"

        for pipeline in (nologin_shell_cmd, lock_accounts_cmd):
            common.run_full(pipeline)

        # root's primary group becomes GID 0
        common.run("usermod -g 0 root")
Beispiel #3
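 def _check_shadow(self):
     """Remind the operator about accounts whose last password change is in the future.

     A future "Last password change" date defeats password ageing, so every
     such account is listed in a reminder for manual review.
     """
     # check passwords have been changed in the past
     # TODO do this automatically
     #
     # The dates are compared as epoch seconds. The earlier form compared the
     # chage text with the `date` text inside `[[ ... > ... ]]`, which is a
     # lexicographic string comparison and does not order dates. Accounts whose
     # value is not a date ("never", "password must be changed") make `date -d`
     # fail and are skipped.
     # NOTE(review): relies on GNU `date -d` and on chage's English label.
     cmd = (
         "for usr in $(cut -d: -f1 /etc/shadow); do "
         "last=$(chage --list \"$usr\" | grep '^Last password change' | cut -d: -f2); "
         "ts=$(date -d \"$last\" +%s 2>/dev/null) || continue; "
         "[ \"$ts\" -gt \"$(date +%s)\" ] && echo \"$usr :$last\"; "
         "done"
     )
     output = common.run_full(cmd)
     if output != "":
         common.reminder("Ensure these are all in the past:\n" + str(output))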
Beispiel #4
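    def execute(self):
        """Harden the OpenSSH server configuration.

        Backs up /etc/ssh/sshd_config, tightens ownership and permissions on
        the config file and host keys, then writes a fixed set of sshd options.
        Returns early, after an info message, when the config file is absent.
        Access restrictions (AllowUsers/AllowGroups and similar) are left to
        the operator.
        """
        path = "/etc/ssh/sshd_config"
        if not os.path.isfile(path):
            common.info("{} not found, skipping SSH".format(path))
            return
        common.backup(path)

        # set correct permissions
        common.run("chown root:root {}".format(path))
        common.run("chmod og-rwx {}".format(path))

        # private host keys: owned by root, readable by root only
        common.run_full("find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:root {} \\;")
        common.run_full("find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod 0600 {} \\;")

        # public host keys: owned by root, world-readable
        common.run_full("find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \\;")
        common.run_full("find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \\;")

        # NOTE(review): in the listing this was taken from, the '@'-qualified
        # algorithm names had been replaced by an e-mail-obfuscation
        # placeholder and the PermitRootLogin value was masked. Written to
        # sshd_config as-is they are not valid values, so they are restored
        # here to the standard OpenSSH names that fit each list and to "no".
        # Confirm against the upstream project before relying on them.
        #
        # Caveats for newer OpenSSH releases: "Protocol" is a deprecated
        # option, and from OpenSSH 8.2 on ClientAliveCountMax=0 disables the
        # idle disconnect instead of enforcing it. Validate the result with
        # `sshd -t` before restarting the service.
        params = {
            "Protocol": "2",
            "LogLevel": "VERBOSE",
            "X11Forwarding": "no",
            "MaxAuthTries": "4",
            "IgnoreRhosts": "yes",
            "HostbasedAuthentication": "no",
            "PermitRootLogin": "no",
            "PermitEmptyPasswords": "no",
            "PermitUserEnvironment": "no",
            "Ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr",
            "MACs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256",
            "KexAlgorithms": "curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256",
            "ClientAliveInterval": "300",
            "ClientAliveCountMax": "0",
            "LoginGraceTime": "60",
            "Banner": "/etc/issue.net",
            "UsePAM": "yes",
            "AllowTcpForwarding": "no",
            "maxstartups": "10:30:60",
            "MaxSessions": "4"
        }

        common.change_parameters(path, params)

        common.warn("Not doing anything about ssh access, (groups, users)")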
Beispiel #5
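    def execute(self):
        """Set ownership and permissions on the account database files.

        Covers /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow and their
        "-" backup copies, then queues a reminder listing set-UID files found
        on local filesystems so the operator can review them.
        """
        # (path, owner, group, mode) — presumably the argument order of
        # common.set_permissions; the symbolic modes only remove bits.
        targets = (
            ("/etc/passwd", "root", "root", "644"),
            ("/etc/shadow", "root", "shadow", "o-rwx,g-wx"),
            ("/etc/group", "root", "root", "644"),
            ("/etc/gshadow", "root", "shadow", "o-rwx,g-rw"),
            ("/etc/passwd-", "root", "root", "u-x,go-wx"),
            ("/etc/shadow-", "root", "root", "o-rwx,g-rw"),
            ("/etc/group-", "root", "root", "u-x,go-wx"),
            ("/etc/gshadow-", "root", "root", "o-rwx,g-rw"),
        )
        for file_path, owner, group, mode in targets:
            common.set_permissions(file_path, owner, group, mode)

        # `-perm -4000` matches set-UID files only; set-GID files (-2000) are
        # not part of this listing.
        suid_listing = common.run_full(
            "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000"
        )
        # Message typo fixed ("rouge" -> "rogue").
        common.reminder("Check there are no rogue programs:\n" + suid_listing)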
Beispiel #6
    def execute(self):
        """Walk the installed Windows programs and uninstall those the operator rejects.

        The operator is first asked whether to review the list at all. During
        the review, entries without an uninstall command produce a warning,
        whitelisted entries are skipped, and every other entry is kept or
        removed according to the operator's answer.
        """
        programs = _list_windows_programs()

        # Reviewing is manual work, so the operator can opt out up front.
        wants_review = common.input_yesno(
            "Found {} programs. Would you like to manually check them".format(
                len(programs)))
        if wants_review is False:
            return

        for position, program in enumerate(programs, start=1):
            if program["UninstallString"] is None:
                message = "The program '{}' (by '{}') cannot be automatically removed. If it is of concern please remove it manually."
                common.warn(message.format(program["DisplayName"], program["Publisher"]))
                continue

            if _check_whitelist(program):
                message = "The program '{}' (by '{}') is being skipped as it is whitelisted."
                common.debug(message.format(program["DisplayName"], program["Publisher"]))
                continue

            question = "({}/{}) Would you like to keep the program '{}' (by '{}')"
            keep = common.input_yesno(
                question.format(position, len(programs),
                                program["DisplayName"], program["Publisher"]))
            if keep:
                continue

            # NOTE(review): the uninstall command is executed exactly as
            # recorded in the program entry; where those entries come from is
            # not visible here — confirm the source cannot be written by an
            # unprivileged user.
            common.run_full(program["UninstallString"])

        common.debug("Removed packages!")
Beispiel #7
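 def _change_password(self, user, password):
     """Set *password* for *user* with the host's native tool.

     Uses chpasswd when plugin.get_os() reports Linux and `net user` when it
     reports Windows; any other platform is left untouched.

     Args:
         user: Account name whose password is changed.
         password: New password in clear text.
     """
     # Local imports so the block does not depend on the file's import list.
     import shlex
     import subprocess

     # The new password is a secret and is deliberately kept out of the log.
     common.info("Changing password of {0}".format(user))

     os_name = plugin.get_os()
     if "Linux" in os_name:
         # Quote the whole "user:password" entry so quotes or shell
         # metacharacters in the password cannot break or extend the command.
         # printf is used because some shells' echo interprets backslashes.
         entry = shlex.quote("{0}:{1}".format(user, password))
         common.run_full("printf '%s\\n' {0} | chpasswd".format(entry))
     elif "Windows" in os_name:
         # Argument list, no shell: nothing in the password is parsed by
         # cmd.exe. The password is still visible in the process command line
         # while `net` runs.
         subprocess.run(["net", "user", str(user), str(password)], check=False)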